CompTIA Security+ Certification Study Guide,blackhawk.cs.mercer.edu/courses/David Cozart/IST...



Page 1: CompTIA Security+ Certification Study Guide,blackhawk.cs.mercer.edu/courses/David Cozart/IST 301/Cyber Defense... · CompTIA Security+™ Certification Study Guide, ... 10 Authentication

CertPrs8/CompTIA Security+Certification Study Guide/Clarke/128-8/Front Matter Blind Folio i

CompTIA Security+™ Certification Study Guide,

Second Edition

(Exam SY0-401)

Glen E. Clarke

New York Chicago San Francisco Athens London Madrid Mexico City Milan

New Delhi Singapore Sydney Toronto

McGraw-Hill Education is an independent entity from CompTIA. This publication and CD-ROM may be used in assisting students to prepare for the CompTIA Security+™ exam. Neither CompTIA nor McGraw-Hill Education warrant that use of this publication and CD-ROM will ensure passing any exam. CompTIA and CompTIA Security+ are trademarks or registered trademarks of CompTIA in the United States and/or other countries. All other trademarks are trademarks of their respective owners.

00-FM.indd 1 23/05/14 2:41 PM


CONTENTS AT A GLANCE

1 Networking Basics and Terminology  1
2 Introduction to Security Terminology  65
3 Security Policies and Standards  97
4 Types of Attacks  133
5 System Security Threats  181
6 Mitigating Security Threats  219
7 Implementing System Security  271
8 Securing the Network Infrastructure  331
9 Wireless Networking and Security  379
10 Authentication  433
11 Access Control  457
12 Introduction to Cryptography  493
13 Managing a Public Key Infrastructure  533
14 Physical Security  569
15 Risk Analysis  599
16 Disaster Recovery and Business Continuity  625
17 Introduction to Computer Forensics  667
18 Security Assessments and Audits  709


xiv CompTIA Security+ Certification Study Guide


  ✓ Two-Minute Drill  170
  Q&A Self Test  172
  Self Test Answers  176

5 System Security Threats  181
  Identifying Physical Threats  182
    Snooping  182
    Theft and Loss of Assets  183
    Human Error  184
    Sabotage  185
  Looking at Malicious Software  185
    Privilege Escalation  185
    Viruses  186
    Exercise 5-1: Looking at the NetBus Trojan Virus  188
    Other Malicious Software  194
    Protecting Against Malicious Software  199
  Threats Against Hardware  200
    BIOS Settings  200
    USB Devices  201
    Cell Phones  202
    Exercise 5-2: Exploiting a Bluetooth Device  203
    Removable Storage  206
    Network Attached Storage  206
    PBX  208
  ✓ Two-Minute Drill  211
  Q&A Self Test  213
  Self Test Answers  216

6 Mitigating Security Threats  219
  Understanding Operating System Hardening  220
    Uninstall Unnecessary Software  221
    Disable Unnecessary Services  224
    Exercise 6-1: Disabling the Messenger Service  226
    Protect Management Interfaces and Applications  227
    Disable Unnecessary Accounts  228
    Patch System  229
    Password Protection  230


  System Hardening Procedures  231
    Network Security Hardening  231
    Exercise 6-2: Hardening a Network Switch  234
    Tools for System Hardening  236
    Exercise 6-3: Creating a Security Template  240
    Security Posture and Reporting  245
  Establishing Application Security  247
    Secure Coding Concepts  247
    Application Hardening  249
  Server Hardening Best Practices  252
    All Servers  252
    HTTP Servers  252
    DNS Servers  253
    Exercise 6-4: Limiting DNS Zone Transfers  254
    DHCP Servers  255
    SMTP Servers and FTP Servers  256
    Mitigate Risks in Static Environments  256
  ✓ Two-Minute Drill  260
  Q&A Self Test  262
  Self Test Answers  266

7 Implementing System Security  271
  Implementing Personal Firewalls and HIDS  272
    Personal Firewalls  272
    Exercise 7-1: Configuring TCP Wrappers in Linux  282
    Host-Based IDS  283
  Protecting Against Malware  284
    Patch Management  284
    Using Antivirus and Anti-spam Software  290
    Spyware and Adware  295
    Phish Filters and Pop-up Blockers  296
    Exercise 7-2: Manually Testing a Web Site for Phishing  299
    Practicing Good Habits  299
  Device Security and Data Security  300
    Hardware Security  300
    Mobile Devices  300
    Data Security  303
    Exercise 7-3: Configuring Permissions in Windows 8  306


6 Mitigating Security Threats

CERTIFICATION OBJECTIVES

6.01 Understanding Operating System Hardening

6.02 System Hardening Procedures

6.03 Establishing Application Security

6.04 Server Hardening Best Practices

✓ Two-Minute Drill

Q&A Self Test


220 Chapter 6: Mitigating Security Threats


A big part of securing systems is to ensure that you follow best practices regarding operating system hardening and application security. System hardening is the concept of removing unnecessary software and features from a system. The principle is based on the likelihood that the more software installed on a system and the more features of the operating system that are installed, the more vulnerabilities exist and the more ways the hacker can get into your system.

This chapter focuses on how to mitigate system security threats by following good operating system hardening and application hardening techniques.

CERTIFICATION OBJECTIVE 6.01

Understanding Operating System Hardening

Operating system hardening is the process of removing unnecessary features of the operating system, disabling unnecessary services, and removing unnecessary accounts. The purpose of removing unnecessary features from the system is to reduce the attack surface, which is the set of components on a system that an attacker can reach and attempt to exploit. You therefore need to reduce the amount of software that is running on the system (see Figure 6-1).

You need to perform a number of tasks to harden a system. Most of the tasks deal with removing unnecessary components, uninstalling unnecessary software, disabling unneeded services, and disabling unnecessary accounts. This section outlines some of the core steps that should be taken to harden a system.

For the Security+ certification exam, know the concept of system hardening and what is involved in system hardening—it is the process of uninstalling unnecessary software and disabling unneeded services from a system. Hardening also involves patching the system and disabling unused accounts.


Uninstall Unnecessary Software

The first step to hardening a system is to be sure to uninstall any unnecessary software from the system. First focus on uninstalling unnecessary third-party software that may be installed on the system. For example, when you purchase a new computer from a store, often the system comes with a bunch of software preinstalled that you never use. From a company security viewpoint, the system should be reformatted and a fresh install of the operating system applied, either manually or through an image. For a personal computer used at home, if you cannot reinstall a fresh copy of the operating system, review the installed software and remove each piece of software you are not going to use.

FIGURE 6-1 Uninstalling software reduces the attack surface of the system.


Note that the Windows operating systems today have minimal features or roles installed, but you can uninstall third-party applications from Windows 7/8 or the Server 2008/2012 operating systems by following these steps:

1. On a Windows 7 or Server 2008 system, click the Start button and choose Control Panel. With Windows 8 and Server 2012, type control panel while on the Start screen and then choose the Control Panel from the search results.

2. Once in the Control Panel, click Programs (see Figure 6-2).

3. Choose “Uninstall a program.”

4. You are then presented with a list of applications that have been installed. To remove an application, select it and choose Uninstall.

After you uninstall any applications that should be removed because you have no intention of using the software, you can then focus on removing operating system components that are not going to be used. For example, back in the Windows 2000 Server days, Microsoft had their web server software, Internet Information Services (IIS), installed by default. This created huge security issues because IIS had a number of vulnerabilities, such as directory traversal and buffer overflow flaws. Had the network administrator uninstalled IIS, those exploits would not have worked on that server.

FIGURE 6-2 Managing installed programs on a Windows system


To uninstall features of the operating system that are not going to be used in Windows 7/8 or Server 2008/2012, follow these steps:

1. On a Windows 7 or Server 2008 system, click the Start button and choose Control Panel. With Windows 8 and Server 2012, type control panel while on the Start screen and then choose the Control Panel from the search results.

2. Once in the Control Panel, click Programs.

3. Choose “Turn Windows features on or off.”

4. This launches Server Manager. Select Features on the left side of the window (see Figure 6-3).

5. Choose the link to Remove Features.

6. You are presented with a list of Windows features that have been installed. To uninstall a feature, turn off its check box, and choose Remove after all the unwanted features have been unchecked.
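The Control Panel steps above work one machine at a time. The following PowerShell script is an added example (not from the book) that does the same review in a repeatable way: it lists the installed programs from the registry keys that the “Uninstall a program” list is built from, lists the Windows features that are currently enabled, and disables any features named in -RemoveFeatures. It assumes an elevated session on Windows 8 / Server 2012 or later (the Get-/Disable-WindowsOptionalFeature cmdlets); the feature name in the parameter comment is only an illustration.

```powershell
# Added example, not from the book: inventory installed programs and enabled
# Windows features before deciding what to uninstall, then disable the optional
# features named in -RemoveFeatures. Requires an elevated PowerShell session on
# Windows 8 / Server 2012 or later.
param(
    [string[]]$RemoveFeatures = @()   # e.g. 'TelnetClient' (illustrative name)
)

# The registry keys Control Panel's "Uninstall a program" list is built from
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, DisplayVersion, InstallDate |
    Sort-Object DisplayName

Write-Output "Installed programs ($($programs.Count)):"
$programs | Format-Table -AutoSize

# Operating system features that are currently turned on
$enabled = Get-WindowsOptionalFeature -Online |
    Where-Object { $_.State -eq 'Enabled' } |
    Sort-Object FeatureName

Write-Output "Enabled Windows features ($($enabled.Count)):"
$enabled | Select-Object FeatureName | Format-Table -AutoSize

# Remove the features you have decided are unneeded (verify on a test system first)
foreach ($name in $RemoveFeatures) {
    if ($enabled.FeatureName -contains $name) {
        Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
        Write-Output "Disabled feature: $name"
    } else {
        Write-Warning "Feature '$name' is not enabled on this system; skipping."
    }
}
```

Run it once with no parameters to get the inventory, decide what is unneeded, and then rerun it with -RemoveFeatures listing the feature names to disable. Third-party programs are left to Control Panel (or the vendor's own uninstaller), since their uninstall strings differ from product to product.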

FIGURE 6-3 Looking at adding/removing operating system features in Windows Server 2008


Disable Unnecessary Services

Once you have uninstalled all the unnecessary software, shift your focus to the services (Windows) or daemons (Linux) that are running in the background on the system. Each service provides a piece of functionality to the operating system. For example, the following services are commonly found on Windows systems:

■ Print Spooler service This service is responsible for printing in the Windows environment.

■ Workstation service This service allows your system to connect to shared folders on another system.

■ Server service This service allows others to connect to shared folders on your system.

■ Messenger service This service is responsible for sending messages to other users or computers when someone uses the net send command. This service should be disabled.

The key point here is that as a security professional responsible for hardening a system, you must get a listing of services running on a system and then evaluate whether each service is needed. If a service is not needed, then you will disable the service through the Services console in Windows on a single machine, or to disable services for many machines, you could centrally disable services in an Active Directory domain using Group Policy. To view a list of services in Windows, follow these steps:

1. On the Windows system, choose Start | Administrative Tools | Services.

2. Right-click the service you wish to stop and then choose Stop.

3. To ensure that the service does not automatically start the next time Windows boots, you must change the startup type to disabled. Right-click the service and choose Properties (see Figure 6-4).

4. Change the “Startup type” to Disabled.

5. Choose OK.
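The following PowerShell script is an added example, not from the book, that turns the service review into something you can run on every build: it lists the services set to start automatically, flags any that are not on an allowlist, shows each one's description and logon account so you can judge whether it is needed, and with -Enforce stops and disables them (the equivalent of steps 2 through 5 above). The names in $Expected are an assumed baseline for an illustrative workstation, not a recommended list; build your own from a test system, as the chapter advises. Assumes PowerShell 5.1 or later and an elevated session when -Enforce is used.

```powershell
# Added example, not from the book: audit automatically started services against
# an allowlist and, with -Enforce, stop and disable the rest. The $Expected names
# are an assumed baseline for illustration only.
param(
    [string[]]$Expected = @(
        'EventLog', 'Dhcp', 'Dnscache',
        'Spooler',                              # Print Spooler
        'LanmanWorkstation', 'LanmanServer',    # Workstation / Server services
        'Winmgmt', 'wuauserv', 'WinDefend'
    ),
    [switch]$Enforce   # without -Enforce the script only reports
)

# Automatic services come back on every reboot, so they are the ones to review first
$auto = Get-Service | Where-Object { $_.StartType -eq 'Automatic' }

$unexpected = $auto | Where-Object { $Expected -notcontains $_.Name }

foreach ($svc in $unexpected) {
    # Win32_Service carries the description shown in the Services console and the
    # account the service runs as; both help decide whether it is really needed
    $info = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"

    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        Status      = $svc.Status
        RunsAs      = $info.StartName
        Description = $info.Description
    }

    if ($Enforce) {
        Stop-Service -Name $svc.Name -Force -ErrorAction Continue
        # Disabled startup type keeps the service from starting on the next boot
        Set-Service -Name $svc.Name -StartupType Disabled
    }
}
```

Run the script without -Enforce first and read the descriptions; a service you do not recognise may be one that a business application depends on, which is exactly why the chapter insists on a test system. For many machines, the same result is better achieved centrally through Group Policy, as the text notes.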


FIGURE 6-4 Modify the service to not start automatically on reboot.

INSIDE THE EXAM

Understanding System Hardening

The Security+ certification exam will test your knowledge of the concept of system hardening and system hardening procedures. Remember that system hardening is the removal of unnecessary software and the disabling of unnecessary services on the system. These services could be susceptible to buffer overflow attacks, so the fewer of them that are running, the better!

When hardening the system, be sure to spend some time investigating the services that are running and then determine what the service does. After discovering the purpose of the service, you then need to decide if it is a service you need running or not. Make sure you have a test system so that you can determine the results of disabling the service and ensure it does not negatively impact the system.


EXERCISE 6-1

Disabling the Messenger Service

In this exercise, you will investigate the security risks associated with the messenger service running in Windows and then disable the service. Note that a patched Windows XP system will have this service already disabled, and newer versions of Windows have removed this service due to the risks associated with it.

1. Ensure that you have the 2012ServerA and Windows XP VMs running. Log out of each system.

2. Switch to the Windows XP VM and then start a command prompt.

3. At the command prompt, type nbtstat -A 10.0.0.2. This will display the NetBIOS name table on the system. The messenger service will register in this table both the computer name of the system and the username of the locally logged-on user. Each of these entries will show with a <03> code after the name. Do you see the entries? ______ In the following example, they are XPPRO_SP2 and STUDENT:


4. Next you will stop the messenger service so that the information is not displayed in the NetBIOS name table. Choose Start | Administrative Tools | Services.

5. Right-click the Messenger service and choose Stop.

6. At the command prompt, type nbtstat -A 10.0.0.2. Do you still see the entries in the table with <03>? ______

Protect Management Interfaces and Applications

When securing systems, make sure that you limit access to the management software (interfaces). The principle here is if the management tool is unavailable to certain employees, then they will be unable to change the configuration of the system or applications.

You can restrict access to the management interfaces of the system and applications in a number of ways, and one of the best ways is to use the policies provided by the system. Also, starting with Windows Vista, Microsoft now limits access to certain commands if the person logged in does not have the privilege to execute the command. This feature is called User Account Control (UAC).

Do not rely on a user simply not having the management program installed; a malicious user will find a way to obtain the program and make the change. It is therefore just as important to limit user privileges and permissions, so that the change is refused even when the tool is available.


Disable Unnecessary Accounts

An often overlooked aspect to hardening a system is to disable any accounts that are not being used. You may not want to delete the account right away because you may find out that a person in the company needs the account, or a piece of software you have running on the system may need the account. Take note that the Administrator account is disabled by default in Windows 7 and Windows 8.

To disable an account in Windows, you can follow these steps:

1. In Windows 7, choose Start | Control Panel | System and Security | Administrative Tools | Computer Management. With Windows 8 and Server 2012, type control panel while on the Start screen and then choose the Control Panel from the search results. Then choose System and Security | Administrative Tools | Computer Management.

2. In the Computer Management console, expand “Local Users and Groups” on the left side.

3. Select the Users folder to see a list of user accounts on the system (see Figure 6-5).

4. Right-click the user you wish to disable and choose Properties.

5. In the Properties window, choose the “Account is disabled” option.

6. Choose OK.

FIGURE 6-5 Looking at a list of users in Windows Server 2008


Not only should you disable unnecessary accounts, but you should also keep a close eye on how many accounts have administrative access to the system. In some environments, it is recommended that a maximum of only two accounts have administrative privileges.
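The following PowerShell script is an added example, not from the book, covering both points of this section: it reports enabled local accounts that have not logged on within a threshold, disables (rather than deletes) them when -Enforce is given, and lists the members of the local Administrators group with a warning when the group exceeds a maximum. It assumes the LocalAccounts module, which ships with Windows 10 / Server 2016 and later (the Computer Management steps above cover the older systems the chapter names); the 90-day and two-account thresholds are assumptions to align with your own policy.

```powershell
# Added example, not from the book: find enabled local accounts with no logon in
# the last -InactiveDays days, disable them with -Enforce, and warn when the local
# Administrators group has more than -MaxAdmins members. Threshold values are
# assumptions; requires the LocalAccounts module (Windows 10 / Server 2016+).
param(
    [int]$InactiveDays = 90,
    [int]$MaxAdmins = 2,
    [switch]$Enforce
)

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogon is $null for accounts that have never signed in; treat those as unused too.
# Disabled accounts (including the built-in Administrator on Windows 7/8) are skipped.
$stale = Get-LocalUser | Where-Object {
    $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $cutoff)
}

foreach ($user in $stale) {
    $last = if ($null -eq $user.LastLogon) { 'never' } else { $user.LastLogon.ToString('yyyy-MM-dd') }
    Write-Output ("Unused account: {0,-20} last logon: {1}" -f $user.Name, $last)

    if ($Enforce) {
        # Disable rather than delete: a person or an application may still need it
        Disable-LocalUser -Name $user.Name
        Write-Output "  -> disabled $($user.Name)"
    }
}

# Keep the number of administrative accounts small and known
$admins = @(Get-LocalGroupMember -Group 'Administrators')
Write-Output "Members of local Administrators ($($admins.Count)):"
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

if ($admins.Count -gt $MaxAdmins) {
    Write-Warning "Administrators group has $($admins.Count) members; policy allows $MaxAdmins."
}
```

Review the report before running with -Enforce: an account used only by a scheduled task or a service still records a logon, but one reserved for a rarely used application may not, and disabling it is reversible while deleting it is not.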

Patch System

One of the key next steps you take to harden the system is to ensure that you patch the system. When you patch the system, you are applying software fixes to known bugs in the software running on the system. These bugs in the software are what the hackers are exploiting to gain access to the system. If you are not patching the system, then you can be sure that your system can be compromised by a seasoned hacker!

Patches to be familiar with for the Security+ exam include the following:

■ Security hot-fix A security hot-fix is a critical security update that should be applied to your system as quickly as possible because the vulnerability opens the system to serious security risks.

■ Patch A patch is a fix to a particular problem in software or operating system code that is not required to be applied immediately because the security risk is not as severe as that addressed by a hot-fix.

■ Service pack A service pack is all updates for a product, including patches and security hot-fixes, from the time the product was released up to the time of the service pack. If you install a service pack, you will not need to install each patch individually because the service pack includes all updates up to that point. You will need to install patches and security fixes that come out after the service pack.

To patch the system, you can run the Windows Update program from within the Start menu, or use centralized patch management software such as WSUS (Windows Server Update Services) to deploy patches to a number of systems at one time. It is important that as a security professional you evaluate how patches are being deployed to the systems and ensure that the strategy is keeping the systems up to date with security fixes.

For the Security+ exam, remember that part of system hardening is to ensure that unnecessary user accounts are disabled or removed.


As part of the patch deployment strategy, ensure that network administrators are not applying patches to systems without first testing the patches. Administrators should have a group of test systems that they deploy the patches to first to ensure the patch does not cause business applications to stop working. Once the patch has been verified against the test systems, it should be deployed to a small group of production systems. After verifying that the patch has not caused issues with the small group of production systems, you can then deploy the patch to a larger group.

Password Protection

A final practice you should incorporate into your system hardening procedure is placing password protection features on your asset. From a system point of view, this means that you will ensure that you have password protected the CMOS setup program so that unauthorized changes to the CMOS cannot occur. Also, make sure that the system prompts for a password when the operating system loads. Most systems today will ask for a username and password (which is better than just a password), but the point is that you want to make sure that no systems log on automatically when booted.

Consider password protecting other resources such as routers, switches, and maybe even printers. Most people do not think about using passwords for their mobile devices such as laptops or mobile phones—these devices contain sensitive company information, so they should be password protected when the system boots up as well.

Not only should the system require a password when booted, but also make sure that you are following good password practices on these devices. All passwords should be a minimum of eight characters long and should use a mix of lowercase and uppercase characters, numbers, and symbols. Also be sure that users are not writing down the passwords, because it is easy for someone to find the paper that the password was written on.
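The CMOS and device passwords above have to be checked by hand, but the local password policy can be verified from a script. The following PowerShell script is an added example, not from the book: it exports the local security policy with secedit and checks the two settings the paragraph calls for, a minimum length of eight characters and complexity (the required mix of character classes) turned on. It assumes an elevated session; the temporary export path is an assumption and the file is removed afterwards.

```powershell
# Added example, not from the book: export the local security policy with secedit
# and check the password settings against the chapter's guidance (minimum length 8,
# complexity enabled). Run in an elevated session; the export path is an assumption.
$exportPath = Join-Path $env:TEMP 'local-secpol.inf'
secedit /export /cfg $exportPath /quiet | Out-Null

# The exported INF holds "Key = Value" lines under [System Access]; collect them
$policy = @{}
foreach ($line in Get-Content -Path $exportPath) {
    if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$') {
        $policy[$matches[1]] = $matches[2]
    }
}
Remove-Item -Path $exportPath -Force

# Each check: the policy key, the expected value, and the test that decides pass/fail
$checks = @(
    @{ Setting = 'MinimumPasswordLength'; Expected = '8 or more';   Test = { param($v) [int]$v -ge 8 } },
    @{ Setting = 'PasswordComplexity';    Expected = '1 (enabled)'; Test = { param($v) [int]$v -eq 1 } }
)

$results = foreach ($c in $checks) {
    $current = $policy[$c.Setting]
    [pscustomobject]@{
        Setting  = $c.Setting
        Current  = $current
        Expected = $c.Expected
        # A missing key counts as a failure rather than a pass
        Pass     = ($null -ne $current) -and (& $c.Test $current)
    }
}

$results | Format-Table -AutoSize
```

On a domain member the effective policy comes from Group Policy, so use this on standalone systems or to confirm what the domain has actually applied; a Pass of False on either row means the device does not yet meet the eight-character, mixed-character rule described above.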

It is critical for the security of the system that you keep the system patched. Keeping a system patched will help remove vulnerabilities in software that typically allow hackers into the system.

06-ch06.indd 230 23/05/14 1:25 PM


System Hardening Procedures 231


CERTIFICATION OBJECTIVE 6.02

System Hardening Procedures

Now that you have a general idea of what system hardening is, let’s look at some of the popular tools security administrators are using to harden networks and systems. In this section you will learn about network hardening and some of the software tools used.

Network Security Hardening

The first aspect of network hardening that you need to consider is updating the firmware on all networking devices. Network devices, although hardware, are like computers in the sense that they are run by software. The software that runs the network devices is known as firmware and is stored in flash memory known as EEPROM (Electrically Erasable Programmable Read-Only Memory). You can normally go to the manufacturer’s web site for the device and download a revised, updated version of the firmware. This version of the firmware will contain fixes to any bugs known at the time it was created.

After you update the firmware, be sure that you have configured a password for the device so that only authorized individuals can manage the device. Most devices today such as routers and switches support a web management interface, which you should password protect and configure to use HTTPS if supported.

When looking at hardening the network, ensure you are using the most secure devices possible. For example, use switches instead of hubs because the switches have a filtering feature where the switch sends the traffic only to the port that the destination system resides on. This means that it is hard for someone to put a sniffer on the network and capture the traffic because the traffic never reaches the device doing the packet sniffing. Back when hubs were popular network devices, the packets would be sent to all ports on the hub, and anyone with a sniffer installed on their system could view all the network traffic.

Port Security

Most network switches today support a feature known as port security—limiting which systems can connect to a port on the switch by listing specific MAC addresses with the port. Port security is also known as MAC limiting because you are limiting by MAC addresses which systems can connect to a port.


232 Chapter 6: Mitigating Security Threats


The following code shows how you can configure port security on a Cisco switch. This example limits which systems can connect to port 1 on the switch by configuring a MAC address for that switch port:

NY-SW1>enable
NY-SW1#config term
NY-SW1(config)#interface f0/1
NY-SW1(config-if)#switchport mode access
NY-SW1(config-if)#switchport port-security
NY-SW1(config-if)#switchport port-security mac-address 0000.1111.2222
NY-SW1(config-if)#switchport port-security maximum 1
NY-SW1(config-if)#switchport port-security violation shutdown

Let’s review the preceding code. The first three lines are used to navigate to fast Ethernet port 1 on the switch. Then the port is placed in access mode so that the workstation can connect to the port, and the port security feature is enabled with the switchport port-security command. The lines that follow are used to configure a MAC address (0000.1111.2222) for the port and then to configure a maximum of one address for that port so that the switch does not learn any additional MAC addresses for that port. Finally, you configure the port to disable (shutdown) if there is an address violation, meaning if someone with a different MAC address connects to the port, you want to disable the port so that network access is not allowed.

MAC Limiting and Filtering

MAC filtering is a popular access control method implemented with many different devices such as network switches and wireless access points. With a wireless access point you can implement MAC filtering to control which MAC addresses can connect to the wireless network.

MAC filtering on a switch has a slightly different meaning in that it allows you to restrict which systems can send data to other systems on the network. Filtering on a switch is usually configured along with the port security feature and allows you to restrict which ports on the switch are allowed to be “source ports” for data sent to a particular system.

Remember for your exam that port security is an important feature of the network switch that allows you to control which systems can connect to a specific port by MAC address.


Disable Unused Interfaces (Ports)

Not only should you limit which systems can connect to which ports on the switch, but you should also look at disabling any unused ports on the switch. This will stop someone from walking into your office, plugging into a port with their laptop, and gaining access to your network. The following code demonstrates how to navigate to port 2 on a switch and then to disable the port with the shutdown command:

NY-SW1>enable
NY-SW1#config term
NY-SW1(config)#interface f0/2
NY-SW1(config-if)#shutdown

You can also disable a group of ports at one time by selecting a range of ports with the interface range command on the Cisco switch. After the ports are selected, you can use the shutdown command to disable those ports, as shown next:

NY-SW1>enable
NY-SW1#config term
NY-SW1(config)#interface range f0/4 - 8
NY-SW1(config-if-range)#shutdown

After you have disabled all unused ports, a time may come when a port needs to be enabled because a new employee has been hired and needs a connection to the network. To enable a port on a Cisco switch, you navigate to the port and then use the no shutdown command:

NY-SW1>enable
NY-SW1#config term
NY-SW1(config)#interface f0/4
NY-SW1(config-if)#no shutdown

802.1x

A popular approach for hardening the network is to ensure that anyone who connects to the network supplies valid credentials before the network connection is allowed. This is different from normal operating system logon in the sense that when you log on to a system, the system typically already has network access. The 802.1x standard is an IEEE standard for controlling access to the network (both wired and wireless) and is typically referred to as port-based access control protection. With 802.1x you are not given access to the network until you authenticate to the 802.1x environment.

For the exam, remember that any unused ports on the switch should be disabled as part of the process of hardening the network.


The way that 802.1x works is that you have a client such as a desktop system, laptop, or network device that wishes to connect to a network switch or wireless access point. The network switch or wireless device is known as the authenticator and needs to have the connecting devices authenticated before granting network access. The switch or wireless access point sends an authentication request to a central authentication server running protocols such as RADIUS or DIAMETER (see Figure 6-6). These are common authentication servers for different types of network environments.

EXERCISE 6-2

Hardening a Network Switch

In this exercise, you will harden a network switch by disabling port 3 on the switch because no system is planned for that port. You will also configure port security on port 10 so that only your MAC address can be used on that port.

1. Ensure you have a Cisco switch powered on. Connect to the console port on the switch from your station’s serial port.

FIGURE 6-6 802.1x involves a network device sending an authentication request to a central authentication server.

Remember for your exam that 802.1x is a common authentication protocol to control who gains access to the physical network resources such as connecting to a switch or wireless access point.


2. To disable port 3 on the switch, type the following commands:

NY-SW1>enable
NY-SW1#config term
NY-SW1(config)#interface f0/3
NY-SW1(config-if)#shutdown

3. To configure port security on port 10, type the following command and use your MAC address where indicated (use the format of 1111.2222.3333):

NY-SW1(config)#interface f0/10
NY-SW1(config-if)#switchport mode access
NY-SW1(config-if)#switchport port-security
NY-SW1(config-if)#switchport port-security mac-address <MAC>
NY-SW1(config-if)#switchport port-security maximum 1
NY-SW1(config-if)#switchport port-security violation shutdown

4. Connect a workstation other than the one with your MAC address to port 10, and try to ping another system on the network. Were you successful? ______

Rogue Machine Detection

Part of the job of monitoring your network environment is monitoring the network for rogue machines and devices. A rogue machine is a machine connected to the network that does not belong there. There are a number of different reasons why an individual may connect a system or device to the network:

■ A rogue system Someone may connect a system that runs a packet sniffer to the network with the intent of capturing confidential information such as passwords transmitted across the network.

■ A rogue device An example of a rogue device is a wireless router being connected to the network. An employee may connect a wireless router to the network to allow them to roam throughout the office with a mobile device or laptop and use the company network for Internet access.

Although hardening the network infrastructure and using features such as port security on a network switch should reduce the chances of having a rogue system or device connected to your network, it is important to ensure you monitor and track which systems and devices are connected to the network. Once you identify an unauthorized device connected to the network, you should disable that port on the switch immediately and then investigate the rogue system or device.
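As an added illustration (not code from the book), the following Python script shows one way to automate the monitoring this paragraph calls for: it parses the output of a switch's MAC address table, compares the learned addresses against an inventory of which address is authorized on each access port, and reports the ports that should be shut down and investigated. A port that has learned several addresses is flagged separately, because that is how a hub, an unmanaged switch or a wireless router plugged into an office jack usually shows up. The table text, the MAC addresses and the inventory are constructed for this example; the layout is modelled on Cisco IOS `show mac address-table dynamic` output.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of "show mac address-table dynamic" on a
# Cisco switch. Addresses and port assignments are invented for this example.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.1111.2222    DYNAMIC     Fa0/1
   1    0000.1111.3333    DYNAMIC     Fa0/4
  10    aaaa.bbbb.cccc    DYNAMIC     Fa0/7
  10    aaaa.bbbb.dddd    DYNAMIC     Fa0/7
  10    aaaa.bbbb.eeee    DYNAMIC     Fa0/7
   1    0000.1111.9999    DYNAMIC     Fa0/9
"""

# Constructed inventory: the one MAC address authorized on each access port.
AUTHORIZED = {
    "Fa0/1": {"0000.1111.2222"},
    "Fa0/4": {"0000.1111.3333"},
    "Fa0/7": {"aaaa.bbbb.cccc"},
}

# One table row: VLAN, dotted-hex MAC, type, port. Header and rule lines don't match.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return {port: {mac, ...}} learned from the switch output."""
    table = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _vlan, mac, _type, port = m.groups()
            table[port].add(mac.lower())
    return table


def find_rogues(table, authorized, uplinks=frozenset()):
    """Compare learned addresses with the inventory.

    Findings are (kind, port, detail) tuples:
      unknown-mac   an address not authorized for that port
      multiple-mac  more than one address on an access port, the usual sign
                    of a hub, unmanaged switch or wireless router on the jack
    Uplink/trunk ports legitimately carry many addresses and are skipped.
    """
    findings = []
    for port, macs in sorted(table.items()):
        if port in uplinks:
            continue
        allowed = authorized.get(port, set())
        for mac in sorted(macs - allowed):
            findings.append(("unknown-mac", port, mac))
        if len(macs) > 1:
            findings.append(("multiple-mac", port, ",".join(sorted(macs))))
    return findings


def ports_to_disable(findings):
    """The response the text describes: shut the port first, then investigate."""
    return sorted({port for _kind, port, _detail in findings})


if __name__ == "__main__":
    learned = parse_mac_table(SAMPLE_MAC_TABLE)
    findings = find_rogues(learned, AUTHORIZED)
    for kind, port, detail in findings:
        print(f"{kind:13s} {port:6s} {detail}")
    print("ports to shut down:", ports_to_disable(findings))
```

In practice the table would be pulled from the switch on a schedule (over SSH or SNMP) and the inventory would come from your asset database; the comparison logic stays the same. Ports that feed other switches or access points must be listed as uplinks, or every address behind them will be reported.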


Tools for System Hardening

Now that you are familiar with some popular techniques for controlling who has access to the network, let’s look at some of the common tools you can use to harden a system. You will need to be familiar with these concepts for the Security+ certification exam, so be sure to try them!

Group Policies

The first important tool for hardening a Windows system is known as group policy. Group policy is a core feature of Windows that allows the network administrator to enable and disable different features in Windows, for example, group membership, services running, password policies, and desktop restrictions such as whether the user should have the run command available.

Group policies can be configured on the local system (the system the administrator is configuring) or can be centrally configured in the Active Directory domain, which means the settings will apply to a number of systems and users every 90 minutes, or on next user logon, or on system restart.

To configure group policies on a single system, choose the Start button and then type mmc (for Microsoft Management Console). Once in the MMC, choose the File | Add/Remove Snap-in command. When you have a list of snap-ins in front of you, then choose the Group Policy Object Editor and choose Add. Choose the Finish button to accept that you are configuring the local computer and then choose OK.

You are now ready to configure the local group policies on the system (see Figure 6-7). Group policies are divided into two categories—computer and user settings. The computer settings apply to the machine no matter who is logged on, while the user settings apply to the user account. To summarize the difference between the two—the user settings typically contain ways to restrict the desktop settings, while the computer settings allow you to harden the system with password policies, by disabling services, and with software restrictions (what software is allowed to run on the system), to name a few.

The following is a quick description of some of the common policies found in the Computer Configuration settings section of group policies:

■ Windows Settings | Scripts (Startup/Shutdown) In this policy, you can configure a startup script for when the computer first boots up or a shutdown script for when the computer is shut down.

■ Security Settings | Account Policies This policy section allows you to configure policies related to user accounts such as account lockout and password policies.


■ Security Settings | Local Policies A very important policy section that relates to system hardening. In this section, you can configure user rights on the system, auditing, and other security settings such as creating a logon banner.

■ Security Settings | Windows Firewall and Advanced Security This policy allows you to configure the new firewall feature built into Windows systems after Windows XP.

■ Security Settings | Software Restriction Policies This policy allows you to configure what software is allowed to run on the system.

■ Security Settings | Advanced Audit Policy Configuration This policy allows you more control over the auditing of the system and the types of events you want to audit.

The following outlines some of the popular settings found in the User Configuration of group policies:

■ Windows Settings | Scripts (Logon/Logoff) This policy is used to configure scripts that execute when a user logs on or off.

■ Windows Settings | Internet Explorer Maintenance This policy is used to configure settings in IE such as a favorites list or default home page.

FIGURE 6-7 Looking at the Group Policy Object Editor in Windows


■ Administrative Templates | Control Panel This policy allows you to enable or disable features of the Control Panel in Windows. The benefit here is that by disabling components in the Control Panel, you can keep users from making system changes.

■ Administrative Templates | Desktop This policy setting allows you to control what icons should appear on the desktop such as My Computer, Internet Explorer, or My Documents.

■ Administrative Templates | Start Menu and Taskbar This policy setting allows you to control what items can appear in the Start menu such as the Run command or the Search command.

If you want to modify the policies for all systems on the network, you can configure a group policy at the domain level. You can also configure a group policy on a specific organizational unit (OU) in Active Directory so that the policy only applies to the computers or users within a specific OU. For example, you may want to ensure Tom is a local administrator of all the computers in the Accounting department. You could configure a group policy on the Accounting OU that places Tom in the Administrators group of all Accounting systems. This saves you from having to go to each system in the Accounting department and place Tom in the Administrators group manually. Figure 6-8 shows using the Group Policy Management Console (GPMC) to configure policies in Active Directory.

Security Templates

Another popular feature of Windows that allows you to harden multiple systems quickly is the security templates feature. Security templates are text files that you create that have policy settings in them. The benefit of a security template is that once you configure the template, it can then be imported into the group policies of a local system or into Active Directory.

You can create the security template by using the Security Templates snap-in in the MMC (see Figure 6-9). Once you create the template, you can then modify the policy settings in the template and then save the file.

Once you configure the template, you can then apply that template to the local group policy by using the Group Policy Object Editor snap-in or by importing the policy into Active Directory by using the Group Policy Management Editor (see Figure 6-10).

Security templates are a great way to ensure that a number of security settings are applied to a group of similar servers, such as all of your company web servers.


FIGURE 6-8 Using the Group Policy Management Console to administer policies in Active Directory

FIGURE 6-9 Looking at security templates in Windows


EXERCISE 6-3

Creating a Security Template

In this exercise, you will create a security template and then apply that template to the local security policy of a Windows XP system.

1. Ensure that you have the 2012ServerA and Windows 8 VM running.

2. Go to the Windows 8 VM.

3. Create a custom MMC and load the Security Templates snap-in:

a. On the Start screen type MMC. Right-click mmc.exe in the search results and choose “Run as administrator.” Choose Yes to allow the program to make changes to your system.

b. Choose File | Add/Remove Snap-in.

c. Choose Add.

FIGURE 6-10 Importing security templates into group policies


d. Locate the Security Templates snap-in and add it from the list.

e. Choose Close and then OK.

4. Expand the Security Templates node on the left and notice the folder that you will place security templates in.

5. Expand the folder (most likely starts with c:\users) on the left and then select the folder.

6. Right-click the templates folder and choose New Template. Create a template called Company_Policy.

7. Set the following policy options in the security template:

a. Password Policy Settings:

Enforce password history: 18 passwords remembered
Maximum password age: 20 days
Minimum password age: 2 days
Minimum password length: 8 characters
Password must meet complexity requirements: Enabled

b. Account Lockout Policy Settings:

Account lockout duration: 0 minutes (until admin unlocks)
Account lockout threshold: 2 invalid logon attempts
Reset account lockout counter after: 45 minutes

c. Security Options Policy Settings:

Accounts: Rename administrator account
    Adminguy

Interactive logon: Do not display last user name
    Enabled

Interactive logon: Message text for users attempting to log on
    Warning! This system is for authorized users only. Anyone using this system without authorization will be prosecuted. Also, use of this system will be monitored including Internet activity, e-mail usage, and access to resources.

Interactive logon: Message title for users attempting to log on
    Authorization Warning!

8. Once you have set the settings in the template, right-click the template and choose Save.


Importing the Template into the Local System

9. To import the template into your local system, start up the Local Security Policy console from the Administrative Tools.

10. Right-click Security Settings in the top-left corner and choose Import Policy.

This will allow you to choose a security template to import the settings from. Browse to your security template, and choose it as the template to import.

11. Once the template is imported, verify the settings within the local security policy to make sure that the template settings have been applied.

12. To refresh the policy, type gpupdate /force at a command prompt.

13. Log off and log back on as user adminguy. Do you get the new banner? _______

14. Why or why not? _______________________________________________

______________________________________________________________
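To make the semantics of the settings in Exercise 6-3 concrete, here is an added Python model (not Windows code and not part of the book) of how a single account behaves under the Company_Policy template: password history, minimum and maximum age, minimum length, complexity, the lockout threshold, the counter reset period, and a lockout duration of 0 meaning the account stays locked until an administrator unlocks it. The complexity check follows Microsoft's documented rule of characters from at least three of four classes and no occurrence of the account name. The user name, timestamps and passwords used are constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta

# Values from the Company_Policy template in Exercise 6-3. A lockout duration
# of 0 in the Windows GUI means "until an administrator unlocks"; the model
# represents that as None.
POLICY = {
    "history": 18,                           # passwords remembered
    "max_age": timedelta(days=20),
    "min_age": timedelta(days=2),
    "min_length": 8,
    "complexity": True,
    "lockout_threshold": 2,                  # invalid logon attempts
    "lockout_duration": None,                # 0 minutes = until admin unlocks
    "reset_counter_after": timedelta(minutes=45),
}


def meets_complexity(password, username):
    """Windows' documented complexity rule: characters from at least three of
    the four classes, and the password must not contain the account name."""
    if username and username.lower() in password.lower():
        return False
    classes = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3


class Account:
    """One account governed by POLICY. Passwords are kept in clear text only
    because this is a simulation; a real system stores hashes."""

    def __init__(self, username, password, now, policy=POLICY):
        self.username = username
        self.policy = policy
        self.history = []          # remembered passwords, most recent last
        self.changed_at = None
        self.bad_attempts = 0
        self.last_bad = None
        self.locked_at = None
        ok, why = self.change_password(password, now, initial=True)
        if not ok:
            raise ValueError(why)

    @property
    def password(self):
        return self.history[-1]

    def change_password(self, new, now, initial=False):
        p = self.policy
        if not initial and now - self.changed_at < p["min_age"]:
            return False, "minimum password age not reached"
        if len(new) < p["min_length"]:
            return False, "too short"
        if p["complexity"] and not meets_complexity(new, self.username):
            return False, "does not meet complexity requirements"
        if new in self.history:    # history already holds only the last N
            return False, "password was used recently"
        self.history = (self.history + [new])[-p["history"]:]
        self.changed_at = now
        return True, "changed"

    def logon(self, attempt, now):
        p = self.policy
        if self.locked_at is not None:
            dur = p["lockout_duration"]
            if dur is None or now - self.locked_at < dur:
                return False, "account locked"
            self.admin_unlock()    # duration elapsed: automatic unlock
        # the invalid-attempt counter is reset after the configured quiet period
        if self.last_bad and now - self.last_bad > p["reset_counter_after"]:
            self.bad_attempts = 0
        if attempt != self.password:
            self.bad_attempts += 1
            self.last_bad = now
            if self.bad_attempts >= p["lockout_threshold"]:
                self.locked_at = now
                return False, "account locked"
            return False, "bad password"
        if now - self.changed_at > p["max_age"]:
            return False, "password expired"
        self.bad_attempts = 0
        return True, "logon ok"

    def admin_unlock(self):
        self.locked_at = None
        self.bad_attempts = 0
        self.last_bad = None
```

Walking an account through this model shows why the settings interact: with a threshold of 2 and a 45-minute reset period, two mistakes an hour apart do not lock the account, but two within 45 minutes do, and with a duration of 0 the correct password is refused until admin_unlock() is called.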

Patch Management

As discussed earlier, applying patches to systems is a very important aspect of system hardening. As the vendors of the software you use find out about the vulnerabilities in their software, they ship out fixes to those flaws with patches. If you are not patching the systems, you are not receiving the fixes!

It is important that you plan a patching strategy instead of simply doing a Windows Update on every system. You can use software such as Windows Server Update Services (WSUS) to download, review, and deploy patches from a central server (see Figure 6-11).

The way that WSUS works is that you select the products you wish to have patches for, and then you can get a list of patches for those products. Once the patch is downloaded from the Microsoft update site, you can approve it and choose to deploy the patch to a group of systems. As mentioned earlier, you will typically apply the patch to a group of test systems first, and then if the patch does not appear to cause problems with the system, you can deploy the patch to a group of production systems.

Configuration Baseline

A security baseline is a standard configuration that has been approved by the company for a specific type of system or device as being secure. This standard configuration is required for all systems in order to meet the desired security requirements of the company.


Any changes to a system after the system has the security baseline implemented must follow the change management process defined by the company. It is important that if you make a change to a system that had the security baseline applied, you evaluate the system after the change to ensure that the change has not affected the security state of the system. For example, be sure that a change made by an administrator has not opened a port on the system or installed software that is vulnerable to buffer overflow attacks. Either of these unexpected results can cause your system to be compromised and therefore change the security state of the system from secure to insecure.

You will likely have different security baselines for different types of systems and devices on the network. For example, the security baseline of a web server in the DMZ (demilitarized zone) will be much stricter than the security baseline of an internal system on the LAN. Not that you won’t secure the internal system, but it will likely have more software and services installed than the web server in a DMZ would need.

The security baseline for each type of system should be properly documented, and the steps to achieving the security baseline must be accurately recorded and tested before distributing to the security administrators. This documentation will contain the detailed steps on how to achieve the security baseline.

FIGURE 6-11 Deploying patches from a central server on the network


The security templates feature described earlier is a great way to implement security baselines in Windows.

As mentioned earlier, the security baselines are documented so that anyone configuring a specific system on the network can look to the document and know how to meet the security baseline for the system. The security baseline documentation may contain the following items:

■ Physical security requirements for the type of system

■ Network connection requirements

■ Configuration settings to help secure the system

■ Patch requirements

The configuration requirements of a baseline may contain any number of operating system or application configuration steps that are required to meet company standards on what is considered a secure system. The following are examples of some of the configuration requirements that should be considered:

■ File system All Windows systems today should be using the NTFS (New Technology File System) over the FAT/FAT32 file systems because NTFS contains features such as permissions, encryption, quotas, and auditing services.

■ Permissions The folders on the hard drives of the system should be properly secured. This includes not only any data stored on the system, but also the Windows directory and the program files directory.

■ Services running Ensure that only the required services are running on the system.

■ Network connection Be sure that the system is connected to the correct network segment.

■ Protocols running Ensure that only the required protocols are running on a system or device.

■ Firewall rules Be sure that any firewall rules that may be needed on the system are implemented to help protect the system from unwanted traffic.

■ Storage encryption Look at whether you should be encrypting information in storage—either within the file system, or maybe sensitive information in a database needs encryption.

■ Encryption of communication Investigate whether you should be encrypting data that travels along the network.


■ Patching Ensure that systems are being properly patched and that the patching level is being maintained. This is important for public servers in the DMZ because they are sometimes forgotten about after deployment.

Security Posture and Reporting

In this section you will learn how to manage the security posture of the system and the types of reporting methods used by applications to send out security notifications.

Security Posture

Once the security baseline requirements have been established and documented, it is then time to put the security baseline into practice. This section outlines key stages of managing security baselines.

Initial Baseline Configuration You will need to work with the security baseline documentation to configure the initial security baseline on a system. Of the various ways that you can easily apply the initial security baseline to a system, one of the most effective ways is imaging a system with a preconfigured image, or maybe applying a security template to a system that needs the initial security baseline.

Continuous Security Monitoring Once you have configured a system with the initial security baseline, you must then monitor the system to ensure it continues to run in a secure state. One of the popular methods to monitor the security state of the system is to perform a vulnerability scan on the system at regular intervals. A vulnerability scan will let you know about any misconfiguration to the security of the system and also let you know if it is missing any patches. Popular types of software that perform vulnerability scans are Nessus (common for Linux), Microsoft Baseline Security Analyzer (MBSA), and GFI’s LANguard. You can download and use MBSA for free from Microsoft’s web site, but Nessus and LANguard will cost you.

Remediation After running a vulnerability scanner to pick up on any configuration mistakes or missing patches, you then need to make sure that you correct the problem. Remediation is the process of correcting a fault in the system. For example, if you find a security configuration setting that was not applied to the system, then you may need to go back to the initial security baseline and make sure that the configuration step is applied.


Remediation may also be automated. For example, when a user tries to connect to the network and a Network Policy Server (NPS) is in use, the NPS checks whether the user’s system has up-to-date patches and virus definitions. If those conditions are not met, the NPS places the system on a restricted subnet where it can download and install the missing patches and virus definition updates. This is an example of technology being used to aid in remediation while maintaining security, because the system was placed on a restricted subnet without access to the network resources.

Reporting Most systems, devices, and applications send notifications when specific events occur, but they use different methods to report different levels of severity associated with the event. The following are popular methods of reporting you need to be familiar with for the Security+ exam.

Alarms The first type of reporting method that applications may use is an alarm. An alarm reports a critical event that typically requires some form of action from the system or network administrator. For example, an alarm may notify an administrator of suspicious traffic on the network. In this case, the alarm is used to attract the attention of the network administrator so that they can investigate the issue.

Alerts An alert is a less critical type of notification used to tell the system or network administrator that a specific event has occurred; no action may be required. Typically, an alert reports a change that has occurred, such as a system coming online or a printer queue being purged.

Trends A trend is a type of reporting that identifies a security issue from a pattern across many events rather than from any single event, for example someone performing a port scan on the network. Trend analysis typically involves looking at log files or packet captures and analyzing the information to identify a pattern that helps the administrator understand what is happening on the network. For example, if the network administrator is looking at a packet capture and sees the same source IP address connecting to many different ports on a host within a very short time, then most likely a port scan is occurring.
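The port-scan trend described above, turned into a detector. This is an added example, not code from the study guide; the firewall log format (timestamp, source, destination, destination port, protocol) and the log lines themselves are constructed for the example, and the thresholds (10 distinct ports within 5 seconds) are assumptions you would tune for your own network. The point it shows that the paragraph does not is that a trend is a property of a set of events per source and destination over a time window, so the detector must group and slide a window rather than inspect packets one at a time.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the book):
# timestamp src dst dport proto
SAMPLE_LOG = """\
2014-05-23T13:25:01 10.0.0.77 10.0.0.5 22 TCP
2014-05-23T13:25:01 10.0.0.77 10.0.0.5 23 TCP
2014-05-23T13:25:02 10.0.0.77 10.0.0.5 25 TCP
2014-05-23T13:25:02 10.0.0.77 10.0.0.5 53 TCP
2014-05-23T13:25:02 10.0.0.77 10.0.0.5 80 TCP
2014-05-23T13:25:03 10.0.0.77 10.0.0.5 110 TCP
2014-05-23T13:25:03 10.0.0.77 10.0.0.5 135 TCP
2014-05-23T13:25:03 10.0.0.77 10.0.0.5 139 TCP
2014-05-23T13:25:04 10.0.0.77 10.0.0.5 443 TCP
2014-05-23T13:25:04 10.0.0.77 10.0.0.5 445 TCP
2014-05-23T13:25:04 10.0.0.77 10.0.0.5 3389 TCP
2014-05-23T13:25:10 10.0.0.12 10.0.0.5 80 TCP
2014-05-23T13:26:30 10.0.0.12 10.0.0.5 443 TCP
2014-05-23T13:30:00 10.0.0.12 10.0.0.5 445 TCP
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto


def detect_port_scans(log_text, window=timedelta(seconds=5), min_ports=10):
    """Return {(src, dst): distinct_ports} for every source that touched at
    least `min_ports` distinct destination ports on one host inside any
    sliding time window of length `window`. Thresholds are assumptions."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _proto = parse_line(line)
        events[(src, dst)].append((ts, dport))

    findings = {}
    for key, evs in events.items():
        evs.sort()                      # time order for this src/dst pair
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {port for _ts, port in evs[start:end + 1]}
            if len(ports) >= min_ports:
                findings[key] = max(findings.get(key, 0), len(ports))
    return findings


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_LOG).items():
        print(f"ALARM: {src} hit {n} distinct ports on {dst} within 5s (probable port scan)")
```

In the sample, 10.0.0.77 touches 11 ports on 10.0.0.5 in three seconds and is reported; 10.0.0.12 connects to three ports over five minutes, which is ordinary browsing and SMB activity, and is not. Running the same logic over a day of logs rather than a packet capture is what turns a one-off observation into trend reporting.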


CERTIFICATION OBJECTIVE 6.03

Establishing Application Security An overlooked aspect of security is the security of the applications we use day in and day out. It is important to understand how hackers compromise systems through the applications running on company systems. The key lesson is that as a network administrator you can do your job, harden the system and keep it up to date with patches, but if one application installed on the system does not follow secure coding practices, then the system can still be compromised through that application.

It is important that companies test any software they create by purposely feeding invalid information into the data entry screens of the application. The term for software testing that feeds invalid, malformed, or random data into the inputs of an application is fuzzing.

Secure Coding Concepts As mentioned, a big part of securing systems is to ensure that the applications running on them have been developed in a secure way. This is up to the application developers: they need to learn secure ways of developing applications so that hackers cannot go through the application to gain access to the system. Two important parts of developing secure code are writing good exception-handling routines and validating all data passed to the application.

Error and Exception Handling When application developers create an application, they sometimes do not foresee errors that can occur in different situations. For example, a common error when creating a file open dialog box is not planning for the user choosing to open a file from the CD/DVD device when no CD/DVD has been placed in the system. This typically causes a runtime error, an error that does not occur until the application is running, meaning there was no indication to the developer that the error would exist when they were creating the application.

For the Security+ certification, know that applications need to be tested by purposely inputting invalid data into any data entry screens. This type of software testing is known as fuzzing.


Runtime errors will occur because the developer cannot force someone to place a CD/DVD into the tray before browsing to that resource. So what the developer has to do is trap the error that occurs at that point. Trapping an error means that instead of the error propagating, the programmer intercepts it and displays a friendly warning message; an unhandled runtime error crashes the application.

Exception handling is a more structured method of error handling. An exception is the object a language raises to represent a runtime error, and programmers in languages such as .NET or Java write exception-handling code using a try/catch block, which means "try this code and catch any errors." Catch the specific exceptions you expect first and a general handler last, and keep the message shown to the user generic: an error text that echoes a file path, a SQL statement or a stack trace tells an attacker about the internals of the application, so log that detail rather than display it. The following code is an example of a try/catch block:

Try
    MessageBox.Show(CDbl(txtAmount.Text) + CDbl(txtTax.Text))
Catch ex As InvalidCastException
    MessageBox.Show("Please supply two numbers as input")
Catch ex As Exception
    MessageBox.Show("An error has occurred. Please try again.")
End Try

Input Validation Developers need to adhere to the idea that when someone enters information into an application and clicks a button like Save, Find, or Execute, the developer must validate the input before using it anywhere in the application. Validating input means that the developer checks that the information typed by the user is appropriate for the type of input that is expected. Any input that does not pass the validation test should be discarded and not processed.

For example, a logon screen asks for a username and a password. A username has a known shape, so the programmer should enforce a sensible maximum length and accept only the characters the account system actually uses (for example letters, digits and a few separators), rejecting anything else before it is processed. A password is different: the application never interprets it, it only hashes and compares it, so the safe approach is to allow a generous length and the full character set (a passphrase may legitimately contain spaces) rather than forbidding characters. Hackers type characters such as apostrophes ( ' ) and dashes ( - ) into logon fields because a query or command built by concatenating that input treats them as syntax and executes differently than the developer intended. Rejecting those characters is a blunt defense; the durable one is never to build a query out of user input in the first place, but to pass the value to the database as a parameter. Either way, input that fails validation should be discarded, not "cleaned up" and processed.
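A worked version of the logon example, written for this edition rather than taken from the study guide. It shows the apostrophe trick the paragraph warns about against a deliberately vulnerable logon routine, and beside it the hardened routine that validates on the server, sends the value to the database as a parameter, and compares a salted hash in constant time. The SQLite in-memory database, the user "alice", her passphrase and the validation rules (64-character usernames of letters, digits, '.', '_' and '-'; passwords up to 128 characters of any kind) are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Validation rules: assumptions for this example, not a standard.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")
MAX_PASSWORD_LEN = 128          # generous; a passphrase may contain spaces


def validate_login_input(username, password):
    """Server-side validation. Return None if acceptable, else a reason."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        return "username must be 1-64 letters, digits, '.', '_' or '-'"
    if not isinstance(password, str) or not 1 <= len(password) <= MAX_PASSWORD_LEN:
        return "password length out of range"
    return None


def hash_password(password, salt):
    """Salted PBKDF2-SHA256; the password is never stored or compared in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db():
    """In-memory SQLite holding one constructed user, stored two ways."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE legacy_users (name TEXT, password TEXT)")     # plaintext
    db.execute("CREATE TABLE users (name TEXT, salt BLOB, pw_hash BLOB)")  # salted hash
    salt = os.urandom(16)
    passphrase = "correct horse battery staple"
    db.execute("INSERT INTO legacy_users VALUES (?, ?)", ("alice", passphrase))
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, hash_password(passphrase, salt)))
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """VULNERABLE ON PURPOSE: the SQL text is built from user input, so an
    apostrophe in the input becomes SQL syntax and rewrites the WHERE clause."""
    query = ("SELECT name FROM legacy_users WHERE name = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_hardened(db, username, password):
    """Validate on the server, query with a parameter, compare a salted hash."""
    if validate_login_input(username, password) is not None:
        return False                        # discard, do not process
    # Parameterised query: the driver sends the value separately from the SQL
    # text, so an apostrophe is just a character, never syntax.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored_hash = row
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


if __name__ == "__main__":
    db = make_db()
    injected = "x' OR '1'='1"
    print("vulnerable, injected password:", login_vulnerable(db, "alice", injected))  # True
    print("hardened,   injected password:", login_hardened(db, "alice", injected))    # False
    print("hardened,   real passphrase:  ", login_hardened(db, "alice", "correct horse battery staple"))
```

With the injected password the vulnerable query reads `... AND password = 'x' OR '1'='1'`, which is true for every row, so the caller is logged in as alice without knowing her password. The hardened routine never lets the input touch the query text, so the same string is simply a password that does not match. Note that the validation step alone would not have saved the vulnerable routine for the password field, because a valid password may contain an apostrophe; the parameter is what makes the character harmless.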


For the Security+ exam, remember that secure in-house applications must start with the developer validating input. You are sure to see a question regarding input validation on the Security+ exam!

Application Hardening In this section you will learn about application hardening concepts and what you can do to help prevent security issues as they relate to applications running on your network.

Application Security Issues To help create a more secure environment, you should be familiar with a number of common application security issues. Each of the following presents security issues to systems today and may be tested on the Security+ exam:

■ ActiveX controls An area of concern with applications is the use of ActiveX controls. If an application or web site uses an ActiveX control, it is not necessarily a bad thing, but it does present a security concern: an ActiveX control is native code that runs with the privileges of the logged-on user, so a malicious or vulnerable control can do anything that user can, including deleting files from the computer.

■ Java Java applets are a little different from ActiveX controls in that they run in what is known as a sandbox, a confined environment that limits the resources the applet can access. That is a stronger design than ActiveX, but vulnerabilities in the Java browser plug-in have repeatedly allowed applets to escape the sandbox, so keep the Java runtime patched and do not enable the plug-in in the browser unless an application actually requires it.

■ Scripting A number of application environments, including web sites, support scripting. Scripting is a security concern because most scripting languages can make modifications to your system. For example, in the past a script in Microsoft Office could loop through your address book in Outlook and send an e-mail to all your Outlook contacts without your consent. Today Microsoft Office has a macro security feature to help prevent this.

■ Browser The browser presents a huge security issue because most web sites serve different types of content that the browser can run. Most active content that is to run in a browser needs an add-on (plug-in) installed in the browser to execute, and each add-on is more native code exposed to untrusted web content, so install only the add-ons you need and keep them patched.


■ Cross-site scripting (XSS) As discussed earlier in the book, in cross-site scripting, the hacker inserts script code into a form on a site so that when the page is displayed by another user, the browser reads the script and executes it.

■ Cookies Cookies are preferences or logon information from the web site you visit, stored in memory on your client computer or in a text file on your client computer. The first security issue is that if the information is stored in a text file and someone gets access to that file, they know everything in it. The second is that cookies are sent with the HTTP traffic, so if you are not encrypting the web traffic, someone could intercept those preferences or the logon session. If the site is served over HTTPS, set the cookie's Secure attribute so the browser never sends it over plain HTTP, and set HttpOnly so script in the page cannot read it (which limits what a cross-site scripting attack can steal).

■ Instant messaging Instant messaging applications have become a huge security issue because worms such as the W32.Seesix worm replicate through the instant messaging software. Also, because most instant messenger applications allow sharing of files and the desktop, it is possible for a hacker to gain free rein on the system through those features.

■ P2P Peer-to-peer file-sharing applications pose a security risk in the sense that users are downloading files from untrusted sources. A lot of times, the files being downloaded contain malicious code that will cause harm to the system when executed.

■ Buffer overflow As mentioned earlier, a buffer overflow attack is when the hacker sends more data to an application than the buffer it is read into can hold, overwriting adjacent memory and, in the worst case, running arbitrary code with the privileges of the vulnerable program. When that program is a service running as SYSTEM or root, the result is administrative access to the system.

Prevention Techniques Following application security best practices is essential. Best practices fall into two major categories: ensuring that you validate input and applying patches to the applications you are using. The following are some other ways to protect your system from application attacks:

■ Application configuration baseline Ensure that you configure each of the applications with security in mind. This means that with each of the applications, you need to go through the options and verify that the application is configured in the most secure state. For example, Internet Explorer comes with a number of options that control what type of content is allowed or forbidden in the browser. Another example would be that Microsoft Office comes with a macro security feature that you can configure to allow or disallow macros from executing.

■ Application hardening You need to disable features in applications that you do not want users to use. For example, if your company decides to use instant messaging, you can disable the file-transfer and desktop-sharing features in the instant messaging software and allow only chatting.

■ Application patch management It cannot be stressed enough that you need to patch your applications along with the operating system.

■ Cross-site scripting prevention An important method of preventing cross-site scripting is to validate the input into a web site for illegal characters in a particular field. Validation alone is not enough, because some fields legitimately contain characters such as < and ', so the complementary control is output encoding: when a stored value is written into a page, convert those characters to their HTML entity forms (&lt;, &#39;) so the browser displays them instead of executing them.

■ Cross-site request forgery prevention Cross-site request forgery (CSRF) is an application vulnerability in which a page on a malicious site causes the victim's browser to send a request to a site where the victim is already logged in. The browser attaches the session cookie automatically if it is present and has not expired, so the target site treats the forged request as the user's own. The standard prevention is for the developer to embed an unpredictable, per-session token in every state-changing form or request and to reject any request whose token does not match, since a page on another site cannot read the token out of the legitimate page. Making cookies expire after a short time, and users not choosing the "Remember Me" option when logging in, narrow the window in which an attack can succeed but do not prevent it.

■ NoSQL databases vs. SQL databases NoSQL describes database systems designed to store and retrieve very large volumes of data (Big Data), usually with a flexible schema and a query interface of their own, in contrast to a traditional relational (SQL) database with fixed tables and SQL queries. From a security standpoint the important point is that changing the database does not remove the need for input validation: a NoSQL database has its own query language or query-object syntax, and untrusted input placed into it can alter the query just as it can in SQL. Use the driver's parameterized or structured query interface rather than building query text or query objects from raw input.

■ Server-side vs. client-side validation Application developers need to validate any input that the application accepts. The validation code can be implemented at the client (client-side validation), at the server (server-side validation), or both. Client-side validation, script running in the browser, improves usability and spares the server traffic for obviously bad input, but an attacker can bypass it by disabling the script or sending the request directly, so it provides no security on its own. Server-side validation is the security control: everything that reaches the server is validated again, regardless of what the client did. Implement both, and never let the server assume that the client has already checked.
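The cookie and cross-site request forgery items above, as one added example; this is not code from the study guide. A hypothetical money-transfer form carries a per-session token, and the server-side handler refuses any POST whose token does not match, which is exactly what a forged request from another site cannot supply. The session store, the form, the route name /transfer and the session-cookie header are all assumptions made for the example.

```python
import hmac
import secrets


class Session:
    """Hypothetical server-side session: the logged-in user plus a CSRF token
    that is unguessable and unique to this session."""

    def __init__(self, user="alice"):
        self.user = user
        self.csrf_token = secrets.token_hex(32)


def session_cookie_header(session_id):
    """Set-Cookie line for the session cookie. Secure: sent only over HTTPS.
    HttpOnly: page script cannot read it. SameSite=Lax: modern browsers do not
    attach it to cross-site POSTs, a second line of defence against CSRF."""
    return f"Set-Cookie: sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def render_transfer_form(session):
    """The legitimate page embeds the session's token in a hidden field.
    A page on another origin cannot read this HTML, so it cannot learn the token."""
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def handle_transfer(session, form):
    """Server-side handler for the POST. The browser attached the session cookie
    automatically (that is how `session` was found), so the cookie alone proves
    nothing about who built the request; the token does."""
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return 403, "CSRF check failed"
    return 200, f"transferred {form['amount']} to {form['to']} for {session.user}"


if __name__ == "__main__":
    s = Session()
    print(session_cookie_header("9f1c..."))
    # Request produced by the real form: carries the token.
    print(handle_transfer(s, {"csrf_token": s.csrf_token, "to": "bob", "amount": "10"}))
    # Request produced by a malicious page: the browser still sent the cookie,
    # but the page could not include the token, so the server refuses it.
    print(handle_transfer(s, {"to": "mallory", "amount": "1000"}))
```

Compare the token with `hmac.compare_digest` rather than `==` so that the comparison time does not leak how many leading characters matched. Short cookie lifetimes do not change this picture: a forged request sent while the user is logged in succeeds without the token check and fails with it.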


CERTIFICATION OBJECTIVE 6.04

Server Hardening Best Practices This section covers common practices you should follow to harden or secure different types of servers on the network. Some of these practices may not apply to you if you are not in a secure environment, because they add administrative burden to the organization. In highly secure environments where security is a primary goal, the security need outweighs the administrative burden.

All Servers Before looking at popular types of servers and the common steps you should take to secure them, I want to stress steps that should be taken with all servers. The first thing you should do with any server is harden it so that only necessary software and services are installed on the system.

Once you have hardened the system, ensure that you have patched the system and applications that run on it. After patching the system, be sure to configure any policies such as password policies and account lockout policy, and enable auditing on the system.

Also, be sure to look at your user accounts. Disable unnecessary accounts and set strong passwords on the remaining accounts. It is also a security best practice to rename default account names to something not easily guessed; for example, you could rename the account called Administrator to HAL12345. Treat renaming as a speed bump rather than a wall: the built-in administrator account keeps its well-known relative identifier (RID 500), so a tool that enumerates accounts by SID still finds it. Combine the rename with a strong password and, where possible, disable the built-in account in favor of named administrative accounts.

HTTP Servers For web servers, apply all the concepts mentioned in the preceding "All Servers" section, but also follow a few extra steps. First make sure web servers are placed in a DMZ, an area between the outside firewall and an internal firewall. The web server should be hardened so that no extra software or user accounts exist on the server.

Also, disable features of the web server that are not going to be used. For example, if your web site is using only static HTML pages, then be sure to disable all active content features such as ASP and server-side includes on the web server. Microsoft’s IIS gives you a screen where you can manage which add-ons (called extensions) are allowed or prohibited, as shown in Figure 6-12.


If the web server is not to be accessed by the public, then ensure that you disable anonymous access (which allows anyone to access the server) and enable authentication on the server. If you are working with confidential data on the web site, be sure to secure the web traffic with TLS (the successor to SSL; the exam and many products still call it SSL, but the obsolete SSL protocol versions themselves should be disabled).

DNS Servers To harden your DNS server, you should apply all the steps from the previous "All Servers" section, but in addition, you should limit zone transfers on the DNS server. A zone transfer occurs when the primary DNS server sends the DNS data for a zone to a secondary DNS server. If a hacker obtains the DNS data by requesting a zone transfer, then they have a map of the host names and IP addresses used by your different systems.

In the properties of your DNS server, you should see an option where you can limit which systems can receive zone transfers from your DNS server. You normally would make sure only your DNS servers are listed here. Figure 6-13 displays how to limit zone transfers on a Microsoft DNS server.

FIGURE 6-12 Disabling web server extensions in IIS


You can also block TCP 53, the transport used by zone transfers, at your firewall so that someone outside the network cannot request a transfer. This may not be an option if you have a secondary DNS server at another location across the Internet, and it has a side effect: ordinary DNS also falls back to TCP 53 for responses too large for a UDP packet (common with DNSSEC), so blocking it in front of a public name server can break legitimate resolution. Restricting transfers in the server's own configuration, as in Figure 6-13, is the safer primary control, with the firewall rule as a second layer where it fits.

EXERCISE 6-4

Limiting DNS Zone Transfers In this exercise, you ensure that DNS zone transfers on your Windows Server are limited to only your secondary DNS servers.

1. Ensure that you have the 2012ServerA and Windows 8 VMs running. Log out of each system.

2. Log on to the 2012ServerA VM. From the Start screen choose DNS to launch the DNS management console.

FIGURE 6-13 Controlling DNS zone transfers


3. Expand 2012ServerA on the left and then expand Forward Lookup Zones. Right-click your DNS zone and choose Properties. For example, right-click certworld.loc and choose Properties.

4. In the zone properties, choose the Zone Transfers tab.

5. Enable the Allow Zone Transfers option and then select "Only to the following systems."

6. Type 10.0.0.5 and then choose the Add button to add the Windows 8 system as a system that can receive zone transfers from this DNS server. For this exercise, we will pretend that the Windows 8 system is our secondary DNS server.

7. Choose OK.

8. Go to the Windows 8 VM and start a command prompt.

9. Type the following commands into the command prompt (pressing enter after each line). Your domain name, for example, might be certworld.loc. The ls command asks the DNS server that the Windows 8 VM is configured to use, so confirm that its DNS setting points at 2012ServerA:

nslookup
ls <your_domain_name>

10. You should see the DNS data on the screen. If you try the same commands from a different system, you should get a "query refused" error.

DHCP Servers You can help secure your DHCP servers by applying all the hardening techniques discussed in the "All Servers" section, plus a few additional steps. When you create a scope (the range of IP addresses the DHCP server gives out), create only enough addresses for what is needed on your network. For example, if you have 20 systems that need addresses, create a scope that gives out only 20 addresses. The benefit is that if an unauthorized individual connects to the network (system #21), there are no available addresses in the scope for the DHCP server to give to the client system, and it will be unable to communicate on the network.

On top of having only enough addresses in the scope, you can also implement address reservations, where each of the 20 addresses in the scope has a MAC address associated with it. The benefit is that each address will be assigned only to the network card that has the MAC address associated with it.

Be aware of what these two measures do not do: an intruder who assigns a static IP address never asks the DHCP server at all, and a MAC address can be changed in software, so scope limits and reservations raise the bar only slightly. Port security and 802.1X, discussed earlier in this chapter, are the controls that actually stop an unauthorized system from using the network; the DHCP measures are a supporting layer.


SMTP Servers and FTP Servers With both SMTP servers and FTP servers you should apply the hardening techniques discussed in the "All Servers" section, but you should also take your security practices a bit further.

When dealing with SMTP servers, protect the server with a firewall and open only TCP port 25 inbound so that mail from other mail servers can pass through the firewall to reach it. You also need to ensure that the server is not an open relay. Relaying is when your SMTP server accepts a message addressed to a recipient it is not responsible for and forwards it to the destination server. Your own users need this for outbound mail, so relaying must be restricted to authenticated users or to clients on your internal network rather than disabled outright. An open relay forwards mail for anyone, so a spammer can hand messages to your server and have it deliver them: from the destination's point of view, your server is doing the spamming, and it will quickly end up on block lists.
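The relay decision described above, as an added example (not code from the study guide, and not a real mail server): a policy function that decides how to answer each RCPT TO command. The local domains, the trusted internal network 10.0.0.0/24 and the client addresses are assumptions constructed for the example. What it makes explicit that the paragraph only implies is the difference between inbound mail for your own domains (always accepted), outbound relaying for your own users (accepted only when the client is authenticated or internal) and relaying for strangers (refused with a 550), plus the open-relay misconfiguration beside it.

```python
from ipaddress import ip_address, ip_network

# Assumptions for this example: domains this server is the MX for, and the
# internal network whose clients may relay without SMTP authentication.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
TRUSTED_NETWORKS = [ip_network("10.0.0.0/24")]


def recipient_domain(rcpt_to):
    """Extract the domain from a RCPT TO argument such as '<bob@example.com>'."""
    address = rcpt_to.strip().strip("<>")
    if "@" not in address:
        return None
    return address.rsplit("@", 1)[1].lower()


def relay_decision(client_ip, authenticated, rcpt_to, open_relay=False):
    """Return the (SMTP code, text) reply for one RCPT TO command.

    open_relay=True models the misconfiguration the text warns about:
    the server forwards for anyone, so spammers can launder mail through it."""
    domain = recipient_domain(rcpt_to)
    if domain is None:
        return 501, "5.1.3 Bad recipient address syntax"
    if domain in LOCAL_DOMAINS:
        return 250, "OK"                   # inbound mail for our own users
    if open_relay:
        return 250, "OK"                   # WEAK: relays for any client
    client = ip_address(client_ip)
    if authenticated or any(client in net for net in TRUSTED_NETWORKS):
        return 250, "OK"                   # outbound mail from our own users
    return 550, "5.7.1 Relaying denied"    # stranger asking us to deliver elsewhere


if __name__ == "__main__":
    cases = [
        ("203.0.113.9", False, "<bob@example.com>"),      # inbound: accept
        ("203.0.113.9", False, "<victim@other.example>"),  # relay for stranger: deny
        ("203.0.113.9", True,  "<victim@other.example>"),  # authenticated user: accept
        ("10.0.0.42",   False, "<friend@other.example>"),  # internal client: accept
    ]
    for client_ip, auth, rcpt in cases:
        print(client_ip, auth, rcpt, "->", relay_decision(client_ip, auth, rcpt))
```

The same policy is what you are configuring when you set the relay restrictions on a real SMTP server: the list of local domains, the networks allowed to relay, and whether authentication is required. If the external, unauthenticated case ever returns 250 for a non-local recipient, the server is an open relay.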

With FTP servers, limit who can upload files to the server, and consider allowing files only to be downloaded from it. You also need to decide whether anonymous access is allowed or whether you will force people to authenticate. If you force authentication, remember that plain FTP sends the username and password in clear text, so use FTPS (FTP over TLS) or SFTP (file transfer over SSH) rather than unencrypted FTP.

Mitigate Risks in Static Environments In this section you learn about common techniques to mitigate risks in environments that use different types of technologies. In order to mitigate risks, you must understand the technologies and their related security risks.

Understanding Environments The major challenge with mitigating security threats is the wealth of different products and technologies used by organizations today. As a security professional, you need to create, or at least advise on how to create, a secure environment for each of these technologies:

■ SCADA Supervisory Control And Data Acquisition (SCADA) is a special system used in industrial environments to monitor operations, for example, at a manufacturing plant. Physical security is an important part of your security in such an environment, as any tampering with any of the SCADA components can cause the monitoring and alarms to malfunction.

■ Embedded (Printer, Smart TV, HVAC control) Watch for devices that have embedded components that could potentially create risks. This includes any device connected to the network, such as a printer or smart TV, but watch for devices that include Bluetooth technology as well and implement hardening practices with those devices.


■ Android Mobile devices are the norm today, and it is important to understand how to secure mobile devices running the Android operating system. Be sure to understand how to auto-lock the device, implement device encryption, enable GPS tracking, and disable unnecessary features on the device.

■ iOS Apple devices such as iPhones and iPads run an operating system known as iOS. Just as you need to secure the Android devices, you must also look at implementing the same procedures with the iOS. Be sure to understand how to auto-lock the device, implement device encryption, enable GPS tracking, and disable unnecessary features on the device.

■ Mainframe Mainframe environments are no different from any other environment, and you should not forget to put some focus on security to protect the mainframe. Be sure to control who gains access to the mainframe environment by implementing firewalls and access control lists.

■ Game consoles Today’s gaming systems such as Xbox and PS3 are now full-fledged multimedia systems that are connected to the Internet. Be sure to look at hardening techniques on these systems and perform updates on them regularly.

■ In-vehicle computing systems If your organization has computer systems in vehicles, then ensure that you implement special security controls for those systems in addition to regular security practices. For example, if company vehicles are equipped with laptops, be sure to encrypt the data on the disk, implement a lockdown control that protects the device from being stolen, and disable unnecessary ports and network cards in the laptop.

Methods of Mitigation You have learned about some common strategies to reduce (mitigate) the likelihood that a security incident occurs, but I want to summarize those points here in a bulleted list for review for the certification exam:

■ Network segmentation Segmenting the network allows you to control which systems can communicate with one another on the network. You can use VLANs and IP subnets to create the network segments. In certain common scenarios, you will want to segment the network in order to separate the production systems from customer systems, for example, hotel guests or student systems in a classroom environment. You also want to segment top secret systems from other classified systems in a highly secured environment.


■ Security layers Implement security in layers by patching systems, using firewalls and network segmentation, and hardening systems.

■ Application firewalls Use application layer firewalls, as they allow you to filter traffic based on payload data in the packet.

■ Manual updates Perform updates of systems on a regular basis to ensure that any known security issues in the system are patched.

■ Firmware version control Be sure to apply firmware updates to devices such as routers and switches on a regular basis.

■ Wrappers When possible, use wrappers such as TCP Wrappers to create connection policies for specific services on a system. On Linux, /etc/hosts.allow and /etc/hosts.deny list which client systems may reach a given daemon. The policy applies only to services that are built with the wrapper library (libwrap) or started through its tcpd program, such as the SSH and FTP daemons on many distributions; a service that does not use the library, such as most web servers, needs its own access controls or a host firewall rule instead.

■ Control redundancy and diversity Controlling redundancy and diversity is the security principle of ensuring that you diversify the products used to create layers of security. For example, if you decide that you wish to have multiple firewalls between your internal network and the Internet, you could create multiple layers of firewalls that a hacker will need to compromise in order to get access to the internal network. If you used the same firewall product at each layer, when the hacker figures out how to compromise the first firewall, he can easily bypass the remainder. If you purchase different firewall products to use at each layer, each will have different vulnerabilities, and the hacker will need to take the time to figure out how to get past each one instead of using knowledge gained from the first one.

CERTIFICATION SUMMARY In this chapter you learned about methods to mitigate common security threats to systems and applications. The following key points should be remembered when preparing for the Security+ certification exam:

■ All systems should be hardened, which is the removal of unnecessary software and the disabling of unnecessary services.

■ When hardening a system, investigate each of the services running on the system, and determine if the service is needed. If the service is not needed, then it should be disabled.


■ As part of hardening a system, make sure that you disable unnecessary accounts and rename the default accounts such as “administrator.” Also be sure to patch the system on a regular basis.

■ Network devices such as switches should be hardened as well. Be sure to update the firmware on the routers and switches. In highly secure environments, disable unused ports on the switch, and configure port security on used ports, which is a feature that associates a particular MAC address with a port.

■ The 802.1X standard is known as a port-based network access control standard and controls who has access to a wired or wireless network by using a central authentication server such as RADIUS.

■ Of the many software tools you can use to help with system hardening, two common methods are security templates and group policies. You can use a security template to help create your security baseline, and group policies are a method used to apply restrictions on the system.

■ To secure your application environment, the developers must validate any input that is submitted into an application before processing the information. As a network administrator, you can harden the application by removing unnecessary features and can create an application security baseline by configuring the application in a secure state.


TWO-MINUTE DRILL

Understanding Operating System Hardening
❑ The goal with operating system hardening is to reduce the attack surface of a system by removing unnecessary software and disabling unneeded services.
❑ Ensure you disable unwanted user accounts and rename default account names.
❑ Plan your patch management strategy. It is important that patches are tested before being deployed and that you are patching systems on a regular basis.

System Hardening Procedures
❑ Start your hardening procedures by hardening the network devices such as routers and switches. The first step is to update the firmware on the device.
❑ Disable any unused ports on the network switch so that unauthorized persons cannot connect to an available port.
❑ Implement port security on the switch to limit which system can connect to a particular port on the switch. Also, use MAC filtering to filter which systems can send data to other systems on the network.

❑ For the exam, remember that 802.1x is a network access control standard that allows you to control who can connect to the network by using a central authentication server such as a RADIUS server.

❑ Group policies are a method to configure all the systems from one central location in an Active Directory environment. You can configure group membership and services running, and can control the desktop appearance through group policies.

❑ Security templates are a great way to create a security baseline. A security template is a text file that has policy settings in it that can then be imported into systems or Active Directory.

❑ A security baseline is a standard configuration that has been approved as being the configuration needed to place a system in a secure state.


❑ To establish and maintain a good security posture, you must first apply a security baseline and then continuously monitor the state of the system with tools such as vulnerability scanners. The final step is to fix any errors in the configuration of the system as a result of the monitoring.

Establishing Application Security

❑ One of the key points to remember for the Security+ exam is that establishing application security means starting with good coding practices by the developers. Developers must implement good exception handling and proper input validation on any data inputted by the user of the application.

❑ Be sure to harden any applications that are being used by disabling unnecessary features that may cause a security risk.

❑ Ensure that applications are patched.
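The three ideas in this drill (input validation, exception handling, and fuzzing as the test that exercises both) in one worked example. This is added code, not from the study guide; the form handler, its field rules and the fuzz inputs are all constructed for illustration.

```python
import random
import re

# Constructed field rules for a hypothetical registration form.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")
MAX_AGE = 150


class ValidationError(ValueError):
    """Raised when submitted data fails the allow-list checks."""


def validate(username, age_text):
    """Input validation: check every field before it is processed."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-16 chars of [A-Za-z0-9_]")
    if (not isinstance(age_text, str) or not age_text.isdigit()
            or not 0 < int(age_text) <= MAX_AGE):
        raise ValidationError("age must be a whole number between 1 and 150")
    return username, int(age_text)


def naive_handler(username, age_text):
    """Constructed 'before' version: no validation, no exception handling.
    Bad input propagates as an uncaught exception (a crash in a real service)."""
    return ("ok", f"registered {username.upper()}, age {int(age_text)}")


def hardened_handler(username, age_text):
    """Validates first, then traps runtime errors and returns a status tuple
    with a user-friendly message instead of crashing or leaking a stack trace."""
    try:
        name, age = validate(username, age_text)
        return ("ok", f"registered {name}, age {age}")
    except ValidationError as exc:
        return ("rejected", str(exc))
    except Exception:
        return ("error", "internal error")


def fuzz(handler, rounds=500, seed=1):
    """Minimal fuzz harness (constructed): feed invalid, oversized and
    wrongly-typed data and count how often the handler raises instead of
    returning a status. A hardened handler should score zero."""
    rng = random.Random(seed)
    bad = ["", "a" * 10000, "<script>alert(1)</script>", "-1", "999999999999",
           "\x00", "4 2", None, 3.14]
    crashes = 0
    for _ in range(rounds):
        username = rng.choice(bad + ["alice"])
        age_text = rng.choice(bad + ["42"])
        try:
            status, _message = handler(username, age_text)
            if status not in ("ok", "rejected", "error"):
                crashes += 1
        except Exception:
            crashes += 1
    return crashes


if __name__ == "__main__":
    print("naive crashes:", fuzz(naive_handler))
    print("hardened crashes:", fuzz(hardened_handler))  # 0
```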

Server Hardening Best Practices

❑ All servers should be hardened and patched.

❑ Web servers should be hardened, but also ensure that the web server is placed in a DMZ (if it’s an Internet server) and is protected by the firewall. Also, disable web server features that are not going to be used.

❑ To secure your DNS servers, they should also be placed in the DMZ and have port UDP 53 open on the firewall to allow the DNS queries to reach the DNS server. Be sure to limit zone transfers on the DNS server to only your secondary DNS servers, and block TCP 53 at the firewall if you are not doing zone transfers to secondary DNS servers on the Internet.

❑ In highly secure environments, configure DHCP reservations, which associate each IP address with a specific MAC address. This will ensure that an unauthorized system on the network does not receive an IP address from the DHCP server.

❑ SMTP servers should have SMTP relaying disabled, while the FTP server should implement authentication to control who has access to the files on the FTP server.
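The DNS firewall rule from this drill (UDP 53 open for queries, TCP 53 only from your own secondary servers) expressed as a decision function, plus a detection pass that flags zone-transfer attempts from anyone else. This is added example code, not from the study guide; the secondary server addresses and the log lines are constructed (TEST-NET ranges).

```python
from ipaddress import ip_address, ip_network

# Constructed (hypothetical) secondary DNS servers allowed to pull zone transfers.
SECONDARY_DNS = [ip_network("203.0.113.10/32"), ip_network("198.51.100.20/32")]


def dns_firewall_decision(proto, dst_port, src_ip, secondaries=SECONDARY_DNS):
    """The chapter's rule for the DNS server's firewall: UDP 53 (queries) is
    open to everyone; TCP 53 (zone transfers) is allowed only from the listed
    secondaries. Anything else is denied by default."""
    if dst_port != 53:
        return "deny"
    proto = proto.lower()
    if proto == "udp":
        return "allow"
    if proto == "tcp":
        src = ip_address(src_ip)
        return "allow" if any(src in net for net in secondaries) else "deny"
    return "deny"


def find_unauthorized_transfers(log_lines, secondaries=SECONDARY_DNS):
    """Detection pass over firewall log lines of the constructed form
    '<proto> <src_ip> <dst_port>'. Returns source IPs that attempted TCP/53
    without being an authorised secondary, i.e. zone-transfer attempts the
    rule above should have blocked."""
    suspects = []
    for line in log_lines:
        proto, src_ip, dst_port = line.split()
        if proto.lower() == "tcp" and int(dst_port) == 53:
            if dns_firewall_decision(proto, 53, src_ip, secondaries) == "deny":
                suspects.append(src_ip)
    return suspects


# Constructed sample log: one query, two legitimate transfers, one unauthorised
# transfer attempt, and one unrelated connection.
SAMPLE_LOG = [
    "udp 192.0.2.55 53",
    "tcp 203.0.113.10 53",
    "tcp 198.51.100.20 53",
    "tcp 192.0.2.77 53",
    "tcp 192.0.2.77 443",
]

if __name__ == "__main__":
    print(find_unauthorized_transfers(SAMPLE_LOG))  # ['192.0.2.77']
```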


SELF TEST

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.

Understanding Operating System Hardening

1. Which of the following actions are performed during system hardening?
A. MAC filtering
B. Disabling unnecessary services
C. Port security
D. 802.1x authentication

2. Your manager has read about the need to uninstall unnecessary software and disable unnecessary services from a system. What is the purpose of performing these hardening techniques?
A. Close ports on the system
B. Assess vulnerability
C. Fuzzing
D. Reduce the attack surface

3. A software vendor has found out about a critical vulnerability within their software product that causes a severe security risk to the system. The software vendor will ship which type of patch that should be applied to systems immediately?
A. Patch
B. Service pack
C. Hot-fix
D. Update

4. You are planning a security assessment strategy for all systems and mobile devices used within the organization. When assessing mobile devices such as phones, what should you look for?
A. Ensure the phone is password protected.
B. Ensure no texting software is installed.
C. Ensure the phone is not running a mobile OS.
D. Ensure the phone is not configured for e-mail.


System Hardening Procedures

5. Which of the following security technologies involves controlling access to a wired or wireless network using a central authentication server such as RADIUS?
A. Port security
B. 802.1x
C. MAC filtering
D. Firewall

6. What feature of a network switch allows you to control which system can be physically connected to a specific network port by its MAC address?
A. 802.1x
B. MAC filtering
C. Firewall
D. Port security

7. A new network administrator in the office has been reading about the company requirement that all systems have the initial security baseline applied. They are looking at a listing of 50 different policy settings that need to be applied and are wondering if there is an easy way to deploy the settings. What should they do?
A. Configure the settings in the local security policies.
B. Import a registry file.
C. Use a security template.
D. Build a macro.

8. What type of reporting mechanism should a system or application use to notify the administrator of an event that requires immediate attention?
A. Alert
B. Trend
C. Log
D. Alarm

Establishing Application Security

9. The software testing team is responsible for testing the applications by inputting invalid data into the fields of the applications. What is this called?
A. Fuzzing
B. Input validation
C. Exception handling
D. Error handling


10. Your manager is worried about the security of the applications created by the in-house developers. From a security point of view, what recommendation would you make to the manager as the No. 1 rule for developers to follow?
A. Create user-friendly applications.
B. Validate all data inputted.
C. Ensure the focus is on usability.
D. Create nice input screens.

11. How should developers working in programming languages such as .NET and Java deal with runtime errors occurring in an application?
A. Validate input.
B. Ignore them.
C. Use exception handling.
D. Verify the syntax.

12. What type of application attack involves the hacker inputting data into a web site that contains script code that will execute when the page is viewed by another visitor?
A. ActiveX
B. Java applets
C. Macro virus
D. Cross-site scripting

Server Hardening Best Practices

13. Your company has a primary DNS server at its head office and a secondary DNS server at two other offices around the world. What should you do to secure the DNS data?
A. Allow zone transfers only to the head office DNS server.
B. Limit zone transfers to the IP addresses of the secondary servers.
C. Block TCP port 53 on the firewall in the head office.
D. Block UDP port 53 on the firewall in the head office.

14. Which of the following identifies a security concern with SMTP servers?
A. Relaying of messages
B. Zone transfers
C. E-mail spoofing
D. Invalid address assignment


15. Your manager would like to implement additional security measures on the DHCP server. What actions would you recommend? (Select two.)
A. Disable zone transfers.
B. Modify the scope to include only one address for each host on the network.
C. Deactivate the scope.
D. Configure an address reservation for each of the addresses in the DHCP scope.
E. Disable DHCP.

Performance-Based Question

16. Using the exhibit, match the mitigation technique on the left side to the type of security it is associated with, either application security or infrastructure security.

[Exhibit: drag-and-drop figure, not reproduced in this text.] Mitigation techniques to place: Implement Exception Handling; Disable Unused Interfaces; Fuzzing; Implement 802.1x; Scan for Rogue WAPs; Implement Input Validation; Implement Port Security. Target categories: Infrastructure Security; Application Security.


SELF TEST ANSWERS

Understanding Operating System Hardening

1. ☑ B. System hardening involves disabling unnecessary services and uninstalling unnecessary software from the system. System hardening also involves disabling unused accounts and patching the system.
☐ ✗ A, C, and D are incorrect because they are all network hardening techniques and not system hardening techniques. MAC filtering controls which systems can send data to other systems, port security controls which systems can connect to a port by MAC address, and 802.1x controls who has access to a wired or wireless network by using a central authentication server.

2. ☑ D. When you harden the system by uninstalling unneeded software and disabling unnecessary services, you are reducing the attack surface of the system.
☐ ✗ A, B, and C are incorrect. Although removing some software may close ports on the system, choice D is the better answer. Assessing vulnerability identifies what the vulnerabilities are on the system; it doesn’t harden the system. Fuzzing is a software-testing procedure where invalid data is entered into an application to see how the application responds.

3. ☑ C. Hot-fix is the term used for an update to a piece of software that should be applied immediately.
☐ ✗ A, B, and D are incorrect. A patch is a fix to a software error that does not necessarily need to be applied immediately. A service pack contains all the patches and hot-fixes since the previous service pack or release of the software. An update is a general term for applying patches to a system.

4. ☑ A. When working with mobile devices, ensure that employees password protect the device so that if it is lost or stolen, the data on the device is not easily accessible.
☐ ✗ B, C, and D are incorrect. You will need to run a mobile OS on the phone, and features like texting and e-mail are popular features that will most likely be used by the employee, so they cannot be disabled.


System Hardening Procedures

5. ☑ B. The 802.1x standard controls access to a wired or wireless network by using a central authentication server such as RADIUS.
☐ ✗ A, C, and D are incorrect. Port security controls which systems can connect to a port by MAC address. MAC filtering controls which systems can send data to other systems, and a firewall controls what traffic is allowed to enter or leave the network.

6. ☑ D. Port security controls which systems can connect to a port on a switch by configuring the port for a specific MAC address.
☐ ✗ A, B, and C are incorrect. The 802.1x standard controls access to a wired or wireless network by using a central authentication server such as RADIUS. MAC filtering controls which systems can send data to other systems, and a firewall controls what traffic is allowed to enter or leave the network.

7. ☑ C. Security templates are a great way to help create a security baseline for systems because you can configure a number of “policy” settings in the security template file and then import the template into a system.
☐ ✗ A, B, and D are incorrect. Configuring the settings in the local security policies of each system will take too much time; it is better to use security templates and then import the template into the local security policy. Importing a registry file will not work because these are policy settings, so a template should be used if you are looking to do an import. Macros are not a part of system configuration.

8. ☑ D. An alarm is a reporting method that notifies the administrator of a security event and expects immediate action.
☐ ✗ A, B, and C are incorrect. An alert is a notification that may not require corrective action from the administrator. A trend is what you look for when analyzing system or network activity, and a log may be viewed to see activity on a system or application.

Establishing Application Security

9. ☑ A. Fuzzing is the testing of application security by inputting invalid data into the fields of the application to see how the application responds.
☐ ✗ B, C, and D are incorrect. Input validation is an important requirement of developers where they check every piece of data inputted into the application before processing it. This will help prevent buffer overflow and injection attacks against the application. Exception handling and error handling are logic added to the application to help prevent runtime errors (crashes) from occurring.


10. ☑ B. Developers must validate all data inputted into the application.
☐ ✗ A, C, and D are incorrect because they all deal with ensuring the application is easy to use, but have nothing to do with creating a secure application.

11. ☑ C. Exception handling is a popular method of trapping runtime errors (exceptions) and showing a user-friendly error message instead of having the application crash.
☐ ✗ A, B, and D are incorrect. Input validation is an important requirement of developers where they check every piece of data inputted into the application before processing it. Ignoring runtime errors is not an option because they cause the application to crash. Because there is no problem with the syntax of the application, verifying the syntax will not help you here.

12. ☑ D. Cross-site scripting involves the hacker inputting data into a web site that contains script code that will execute when the page is viewed by another visitor.
☐ ✗ A, B, and C are incorrect. ActiveX and Java applets are programming components that are used by applications such as a web site, and a macro virus is a virus written with a macro language that comes with software.

Server Hardening Best Practices

13. ☑ B. To help secure your DNS server, you will ensure that zone transfers are limited to delivering the DNS zone data only to the secondary DNS servers.
☐ ✗ A, C, and D are incorrect. The head office server is the primary DNS server, so it does not receive zone transfers. You cannot block TCP 53 at the firewall in this case because that is the port that zone transfers run over, and you need that port open so the secondary servers can do the zone transfers. Blocking UDP 53 is not an option because it is used by DNS queries and not zone transfers.

14. ☑ A. Ensure that SMTP servers are not relaying SMTP messages because hackers could then send spam messages to your server to relay them to the destination.
☐ ✗ B, C, and D are incorrect. Zone transfers are a security issue related to DNS and not SMTP. E-mail spoofing is the modifying of the source address of a message, and invalid address assignment would be a DHCP issue.

15. ☑ B and D. You can secure your DHCP environment by limiting the number of addresses assigned by your DHCP server and reserving each of the addresses.
☐ ✗ A, C, and E are incorrect. Zone transfers are a security issue related to DNS. You cannot deactivate the scope or disable DHCP because those solutions will make the DHCP server unable to give out addresses.


Performance-Based Question

16. The following image displays the results of the question. The real exam may expect you to drag the boxes from the left side of the screen onto the correct category box on the right side of the screen.

[Answer exhibit: the image showing each technique placed under its category is not reproduced in this text.] Items: Implement Exception Handling; Disable Unused Interfaces; Fuzzing; Implement 802.1x; Scan for Rogue WAPs; Implement Input Validation; Implement Port Security. Categories: Infrastructure Security; Application Security.
